53 lines
1.7 KiB
Plaintext
53 lines
1.7 KiB
Plaintext
Another TODO list is available here:
|
|
|
|
https://www.netbsd.org/~rmind/npf/__tasklist.html
|
|
|
|
====== DOCUMENTATION ======
|
|
|
|
-- how to convert other packet filters to npf
|
|
|
|
-- add more examples
|
|
|
|
====== NPFCTL ======
|
|
|
|
-- npfctl start does not load the configuration if not loaded.
|
|
It is not clear you need to reload first. Or if it loads it should
|
|
print the error messages. Or it should be called enable/disable since
|
|
this is what it does. It does not "start" because like an engine with
|
|
no fuel, an npf with no configuration does not do much.
|
|
|
|
-- npf starts up too late (after traffic can go through)
|
|
|
|
-- although the framework checks the file for consistency, returning EINVAL
|
|
for system failures is probably not good enough. For example if a module
|
|
failed to autoload, it is probably an error and it should be reported
|
|
differently?
|
|
|
|
-- startup/stop script does not load and save session state
|
|
|
|
-- add algo for "with short"
|
|
|
|
-- implement "port-unr"
|
|
|
|
-- implement block return-icmp in log final all with ipopts
|
|
|
|
-- handle array variables in more places
|
|
|
|
====== GENERAL ======
|
|
|
|
-- disable IPv4 options by default, and add a "allow-ip4opts" feature to
|
|
enable them
|
|
|
|
-- disable IPv6 options (IPPROTO_ROUTING, IPPROTO_HOPOPTS and IPPROTO_DSTOPTS)
|
|
by default, and add a "allow-ip6opts" feature to enable them
|
|
|
|
-- add an ioctl, similar to PF's DIOCNATLOOK and IPF's SIOCGNATL, and document
|
|
it so that it can be added in third-party software, like:
|
|
https://github.com/squid-cache/squid/blob/5b74111aff8948e869959113241adada0cd488c2/src/ip/Intercept.cc#L263
|
|
|
|
-- support IPv6 jumbograms
|
|
|
|
-- support large IPv6 options, as explained here:
|
|
http://mail-index.netbsd.org/tech-net/2018/04/08/msg006786.html
|
|
But it's not a big problem - perhaps we don't care at all.
|